States aren't shifting voting tech, despite ballot security concerns

By Derek B. Johnson

Mar 09, 2018

In 2015, the Brennan Center for Justice conducted a major study on voting machine security that found most states were relying on dangerously outdated hardware and software, leaving them vulnerable to hackers while doing little to provide for accurate post-election auditing.

On March 8, 2018, the center released an update to that report and found that not much has changed.

Jurisdictions in 41 states are using voting systems at least a decade out of date going into the 2018 elections, barely an improvement from the 2015 study, when 44 states reported long-obsolete voting tech. The number of states in which election officials said they must replace voting equipment by 2020 actually increased, from 31 in 2015 to 33 in 2018.

The new findings underscore how -- despite the increased attention that election security has received from experts, the media and Congress following the 2016 election -- that buzz has not necessarily translated to substantive action.

Lawrence Norden, deputy director of the Brennan Center's Democracy Program and an author of both the 2015 and 2018 reports, told FCW that it's not all bad news.

The report cites the increasing role of federal agencies like the Department of Homeland Security and the Election Assistance Commission as positive post-election developments. Norden and his co-authors say that trend will continue, whether state and local governments like it or not.

However, Norden was surprised the results around voting machines were so consistent across both reports. There are still approximately 40 million registered voters living in counties without paper ballots, including 6.5 million voters in critical swing states like Pennsylvania.

"I would have assumed that we'd continue to keep pace in the years since the 2016 election or maybe even move faster … because of all the attention to security," said Norden. "In fact, much more progress happened before 2016 than has happened since."

However, he noted that voting machine security is just one aspect of the election infrastructure. While policymakers rightly focus on it, it remains one of the more difficult aspects of the election system for hackers to meaningfully manipulate.

"There are a lot easier targets in the election system, whether it's registration system, election night reporting or tally servers…attacks against those systems are actually probably a lot easier," he said.

President Donald Trump made waves during a March 7 press conference when he said "certainly there was meddling" during the 2016 elections and endorsed more widespread use of paper ballots, something many cybersecurity experts have long called for.

"It's old fashioned, but it's always good to have a paper backup system of voting," said Trump. It's called paper. Not highly complex computers, paper, and a lot of states are doing that, they're going to a paper backup."

However, there's been little movement on this front, according to the Brennan Center study. In 2016, 14 states reported using paperless voting machines in at least some of their districts, while five used them statewide. The 2018 update found that just one of those 14 states -- Virginia -- has moved to replace its paperless voting systems.

"While many paperless systems were replaced in the years before the 2016 election, since then, the country has made remarkably little progress -- even despite repeated warnings from intelligence officials and security experts that voter verified paper records are a critical backstop against cyberattacks," write the report's authors.

State election officials continue to cite a lack of dedicated funding to replacing voting machines. Following Trump's comments, Reps. Bennie Thompson (D-Miss.) and Robert Brady (D-Pa.), co-chairs of the Congressional Task Force on Election Security, released a statement expressing appreciation for the White House's endorsement of paper ballots but noted that "replacing state voting systems takes a great deal of time and money – and many states have neither."

A bipartisan effort in the Senate to include voting cybersecurity measures via an amendment to the Department of Homeland Security authorization bill was withdrawn because of objections from several states. Sens. James Lankford (R-Okla.), Kamala Harris (D-Calif.) and Maggie Hassan (D-N.H.) plan to offer their bill as standalone legislation.

The lack of budget support has forced many state officials to look for alternative resources to update their voting infrastructure. Tech companies like Google and Cloudflare have started offering free 24-hour, year-round support services to states, counties and municipalities to protect election systems from denial-of-service and phishing attacks. Still other election officials have reported scrounging for spare parts on eBay.

During a January 2018 summit on election security, David Stafford, supervisor of elections for Escambia County, Fla., recommended that states partner with local organizations.

"Look in your own community. If you have a university, chances are there are some portion that are involved in cybersecurity," said Stafford.

Norden said it is too late to make a substantive dent in voting machine replacements or upgrades before the 2018 election. But he noted that there is plenty of time for other policies – such as instituting post-election audits for the 80 percent of the country that do have paper ballot machines – that could make a difference in ensuring election integrity.

About the Author

Derek B. Johnson is a staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.